Hello Ilkka,

thanks for your report.

On 07/05/15 16:11, Ilkka Virta wrote:
> Package: libpam-ssh
> Version: 2.01-2
> Severity: important
>
> Description of libpam-ssh says:
> - during authentication, the user types a SSH passphrase and is
>   authenticated if the passphrase successfully decrypts the user's SSH
>   private keys;
>
> However, because of the way the module is installed in
> /etc/pam.d/common-auth, it cannot actually authenticate the user. With the
> generated configuration (below), if pam_unix (or all of the primary)
> authentication modules fail, the requisite pam_deny.so will trigger and stop
> the processing of modules. pam_ssh then never gets a chance to authenticate.
> Logging in with the correct pam_unix password runs pam_ssh, but if the
> passphrase for the key is different, the key is never unlocked.
>
> pam_ssh also never seems to ask for the passphrase, even if the password
> given earlier doesn't unlock the key (regardless of whether use_first_pass,
> try_first_pass or neither is given).
>
> generated /etc/pam.d/common-auth:
> -------------------------
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth optional pam_ssh.so use_first_pass
> # end of pam-auth-update config
> -------------------------
>
> Examples:
>
> User kenny has a key in ~kenny/.ssh/login-keys.d/id_rsa,
> passphrase is "keysecret". The unix password is "password".
>
> trying to login with the unix pw doesn't unlock the key:
>
> root@plink:~# ssh kenny@localhost 'ssh-add -l '
> kenny@localhost's password: [password]
> The agent has no identities.
>
> trying to login with key passphrase doesn't work at all...
>
> root@plink:~# ssh kenny@localhost 'ssh-add -l '
> kenny@localhost's password: [keysecret]
> Permission denied, please try again.
>
> however, if the password and key passphrase are the same, the login succeeds
> and the key is unlocked:
>
> root@plink:~# echo "kenny:keysecret" | chpasswd
> root@plink:~# ssh kenny@localhost 'ssh-add -l '
> kenny@localhost's password: [keysecret]
> 2048 15:5b:72:4a:73:2b:c4:cf:d1:9d:4c:94:a2:d5:36:e6 /home/kenny/.ssh/login-keys.d/id_rsa (RSA)
>
> Installing pam_ssh manually

What do you mean by "manually"?

> in the primary block (as below), results in
> the behaviour I would have expected.
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_ssh.so try_first_pass debug
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # ...

Have you tried with the version in experimental?

Thanks,
Jerome

> -- System Information:
> Debian Release: 8.0
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libpam-ssh depends on:
> ii  libc6              2.19-18
> ii  libpam-runtime     1.1.8-3.1
> ii  libpam0g           1.1.8-3.1
> ii  libssl1.0.0        1.0.1k-3
> ii  multiarch-support  2.19-18
>
> Versions of packages libpam-ssh recommends:
> pn  libpam-tmpdir                <none>
> ii  openssh-client [ssh-client]  1:6.7p1-5
>
> libpam-ssh suggests no packages.
>
> -- no debconf information
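As an added illustration (not part of this bug thread or of Linux-PAM itself), a small Python model of how PAM walks the two common-auth stacks quoted above. It shows why pam_ssh in the "Additional" block never runs when the key passphrase is typed, and why moving it into the "Primary" block lets it authenticate; module outcomes are constructed inputs.

```python
"""Toy model of how Linux-PAM walks the two /etc/pam.d/common-auth stacks
quoted in the report ([success=N default=ignore], requisite, required,
optional). Added example, not code from the thread or from Linux-PAM;
module outcomes are constructed inputs (True stands for PAM_SUCCESS)."""

FIXED = {"pam_permit": True, "pam_deny": False}  # always the same, whatever is typed

def run_stack(stack, outcomes):
    """Return (authenticated, modules_that_ran) for one login attempt.
    stack: list of (control, module); outcomes: module -> bool."""
    ran, recorded, required_failed, i = [], None, False, 0
    while i < len(stack):
        control, module = stack[i]
        ok = FIXED.get(module, outcomes.get(module, False))
        ran.append(module)
        i += 1
        if isinstance(control, dict):            # e.g. [success=1 default=ignore]
            if ok:
                recorded = True if recorded is None else recorded
                i += control["success"]          # success=N jumps over N modules
            # default=ignore: a failure leaves the recorded result untouched
        elif control == "requisite":
            if not ok:
                return False, ran                # stop the stack immediately
            recorded = True if recorded is None else recorded
        elif control == "required":
            if not ok:
                required_failed = True           # remembered; the stack keeps running
            elif recorded is None:
                recorded = True
        elif control == "optional" and recorded is None and not required_failed:
            recorded = ok                        # only counts if nothing else decided
    return recorded is True and not required_failed, ran

# Generated stack from the report: pam_ssh sits in the "Additional" block.
GENERATED = [({"success": 1, "default": "ignore"}, "pam_unix"),
             ("requisite", "pam_deny"), ("required", "pam_permit"),
             ("optional", "pam_ssh")]
# Manual stack from the report: pam_ssh moved into the "Primary" block.
MANUAL = [({"success": 2, "default": "ignore"}, "pam_unix"),
          ({"success": 1, "default": "ignore"}, "pam_ssh"),
          ("requisite", "pam_deny"), ("required", "pam_permit")]

# Constructed logins: the key passphrase fails pam_unix but would satisfy
# pam_ssh; the Unix password passes pam_unix but does not unlock the key.
KEY_PASSPHRASE_TYPED = {"pam_unix": False, "pam_ssh": True}
UNIX_PASSWORD_TYPED = {"pam_unix": True, "pam_ssh": False}
```

With the generated stack, `run_stack(GENERATED, KEY_PASSPHRASE_TYPED)` returns `(False, ['pam_unix', 'pam_deny'])`: pam_deny stops the stack before pam_ssh is reached, matching the "Permission denied" in the report. With the manual stack the same login returns `(True, ['pam_unix', 'pam_ssh', 'pam_permit'])`.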